Add role readmes

README.md

@@ -7,3 +7,6 @@ To add a new role:
   1. usually meta/main.yml with depend on container
   1. README.md
 1. Add docs to docs/
+
+The following roles have default versions which should probably be overridden:
+- wordpress: `wordpress_tag`

docs/container.md

@@ -0,0 +1 @@
+Please see `roles/container/meta/arguments_specs.yml` for all possible variables

docs/jitsi.md

@@ -7,3 +7,11 @@ ports:
 
 jitsi_domain: 'jitsi.domain.tld'
 ```
+
+These vars are optional:
+
+```
+# for TURN, no turn server is used if not defined
+turn_domain: turn.domain.tld
+turn_secret: secret
+```

docs/unifi.md

@@ -0,0 +1,14 @@
+Unifi is installed with host network mode.
+
+# Required variables
+These variables are required. Example values included. Some general variables might also be required for this role.
+
+```
+ports:
+  unifi:
+    https: 8443
+
+docker_vhost_domains: 
+  unifi:
+    - unifi.domain.tld
+```

docs/wordpress.md

@@ -0,0 +1,21 @@
+# Required variables
+These variables are required. Example values included.
+
+```
+ports:
+  wordpress_http: 8080
+
+docker_vhost_domains:
+  wordpress:
+    - wordpress.domain.tld
+
+database_passwords:
+  wordpress: secret
+```
+
+# Optional variables
+These variables have default values listed below
+
+```
+wordpress_tag: php8.1
+```

galaxy.yml

@@ -2,11 +2,12 @@
 
 namespace: uumas
 name: docker
-version: 0.5.3
+description: Roles for installing services in docker containers
+version: 0.8.0
 readme: README.md
 repository: https://git.uumas.fi/uumas/ansible-docker
 license_file: LICENSE
 dependencies:
-  uumas.general: '>=0.5.0'
+  uumas.general: '>=0.5.5'
 authors:
   - uumas

roles/alpine/README.md

@@ -0,0 +1 @@
+Sets up an alpine docker container. To be used as a template for other roles.

roles/alpine/meta/argument_specs.yml

@@ -0,0 +1,39 @@
+---
+
+argument_specs:
+  main:
+    short_description: Alpine container
+    description: "Sets up an alpine docker container. This role can be used as a template for other roles using the container role."
+    options:
+
+      # All options after this will be passed directly to the container role
+      docker_service_suffix:
+        description: "Passed to container role"
+        required: false
+      docker_host_user:
+        description: "Passed to container role"
+        required: false
+
+      database_passwords:
+        description: "Passed to container role"
+        required: false
+      docker_additional_services:
+        description: "Passed to container role"
+        required: false
+
+      docker_volume_type:
+        description: "Passed to container role"
+        required: false
+      reverse_proxy_type:
+        description: "Passed to container role"
+        required: false
+      ports:
+        description: "Passed to container role"
+        required: false
+      docker_vhost_domains:
+        description: "Passed to container role"
+        required: false
+      docker_entrypoint:
+        description: "Passed to container role"
+        required: false
+

roles/alpine/tasks/main.yml

@@ -0,0 +1,15 @@
+---
+
+- name: Alpine container
+  import_role:
+    name: container
+  vars:
+    docker_service: alpine
+    docker_image: alpine
+    docker_image_http_port: 8080
+    docker_database: postgres
+    docker_mounts:
+      - name: data
+        path: /data
+    docker_env:
+      TZ: "{{ timezone }}"

roles/container/defaults/main.yml

@@ -1,5 +1,4 @@
 ---
 
-reverse_proxy_type: caddy
-docker_additional_env: {}
-docker_published_ports: []
+docker_host_user: false
+docker_volume_type: named

roles/container/meta/argument_specs.yml

@@ -0,0 +1,119 @@
+---
+
+argument_specs:
+  main:
+    short_description: Docker container
+    description: "Sets up a docker container. Supports defining networks, building a custom image, setting up memcached, databases and a reverse proxy, creating a user on the host to run the container as, named volumes, bind mounts (either auto-created or existing)."
+    options:
+      docker_service:
+        description: "The name of the docker service (example: gitea)"
+        type: str
+        required: true
+      docker_service_suffix:
+        description: "A suffix used to allow running multiple instances of the same service on a host. If docker_service is gitea and docker_service_suffix production, the container will be gitea_production"
+        type: str
+        required: false
+      docker_image:
+        description: "Docker image to use for the container. If dockerfile is defined, it will be used as base for locally built image (example: gitea/gitea:latest)"
+        type: str
+        required: true
+      docker_host_user:
+        description: "If true, creates a user on the host for this service. The container will run as this user's uid/gid. Bind mount volumes will be owned by this user."
+        type: bool
+        required: false
+        default: true
+
+      docker_database:
+        description: "Database type to set up. It will be run in a docker container accessible to the service at host <service name (with _suffix if suffix is defined)>_db on default port."
+        type: str
+        required: false
+        choices:
+          - postgres
+          - mariadb
+          - mongo
+          - none
+        default: none
+      database_passwords:
+        description: "database_passwords[docker_service] is a string with the password used for communication between the service and database. Required if docker_database is postgres or mariadb"
+        type: dict
+        required: false
+      docker_additional_services:
+        description: "List of additional services to configure (in separate containers). These will be accessible with hostname <docker_service_name>[_suffix]_<additional_service>"
+        type: list
+        required: false
+        elements: str
+        choices:
+          - memcached
+        default: []
+
+      docker_volume_type:
+        description: "Defines whether to use named volumes or bind mounts for mounts with name"
+        type: str
+        required: false
+        choices:
+          - named
+          - bind
+        default: named
+      docker_volumes:
+        description: "DEPRECATED List of docker volumes to mount inside the container. Use docker_mounts instead. DEPRECATED"
+        type: list
+        required: false
+        default: []
+        elements: str
+      docker_mounts:
+        description: "List of bind mounts or volumes to be mounted inside the container. Each element is a dict with path and exactly one of name, src or template"
+        type: list
+        required: false
+        default: []
+        elements: dict
+        options:
+          path:
+            description: "The path inside the container to mount at"
+            type: str
+            required: true
+          name:
+            description: "If docker_volume_type is named, the name of the named volume to be mounted at path. If docker_volume_type is bind, the name of the folder to create under /opt/<service>[/suffix]/mounts/ and mount at path."
+            type: str
+            required: false
+          src:
+            description: "Host path to bind mount inside the container."
+            type: str
+            required: false
+          template:
+            description: "Name of template without .j2 extension. Will be templated at /opt/<service>[/suffix]/mounts/<template> and mounted inside the container."
+            type: str
+            required: false
+      reverse_proxy_type:
+        description: "Defines which kind of reverse proxy to configure for the container. Traefik support is experimental."
+        type: str
+        required: false
+        choices:
+          - caddy
+          - traefik
+          - none
+        default: caddy
+      docker_image_http_port:
+        description: "The port for http listener inside the container. Will be mapped to the host port defined in ports. Required if reverse_proxy_type is not none."
+        type: int
+        required: false
+      ports:
+        description: "ports[docker_service]['http'] or ports[docker_service]['https'] defines the port on which the container will listen on for reverse proxy connections. Required if reverse_proxy_type is caddy."
+        type: dict
+      docker_vhost_domains:
+        description: "docker_vhost_domains[docker_service] is a list which defines which domains should be proxied to the container. Required if reverse_proxy_type is not none"
+        type: dict
+      docker_published_ports:
+        description: "A list of published ports in docker format (<host listen address>:<host port>:<container port>)"
+        type: list
+        required: false
+        default: []
+      docker_env:
+        description: "A dict of environment variables for the container"
+        type: dict
+        required: false
+        default: {}
+      docker_entrypoint:
+        description: "Docker entrypoint as list of command and arguments"
+        type: list
+        required: false
+        elements: str

roles/container/meta/main.yml

@@ -1,10 +1,4 @@
 ---
 
 dependencies:
-  - docker
-  - role: uumas.general.reverse_proxy
-    vhost_id: "{{ docker_service }}"
-    vhost_domains: "{{ docker_vhost_domains[docker_service] }}"
-    proxy_target_protocol: "{{ docker_proxy_target_protocol | default('http') }}"
-    proxy_target_port: "{{ ports[docker_service][proxy_target_protocol] }}"
-    when: reverse_proxy_type != 'none' and reverse_proxy_type != 'traefik'
+  - role: docker

roles/container/tasks/database.yml

@@ -0,0 +1,47 @@
+---
+
+- name: Set postgres container vars
+  set_fact:
+    db_container_image: 'postgres:14-alpine'
+    db_container_env:
+      POSTGRES_USER: "{{ docker_service_name }}"
+      POSTGRES_PASSWORD: "{{ database_passwords[docker_service_name] }}"
+    db_container_data: /var/lib/postgresql/data
+  when: docker_database == 'postgres'
+
+- name: Set mariadb container vars
+  set_fact:
+    db_container_image: mariadb:10
+    db_container_env:
+      MARIADB_USER: "{{ docker_service_name }}"
+      MARIADB_DATABASE: "{{ docker_service_name }}"
+      MARIADB_PASSWORD: "{{ database_passwords[docker_service_name] }}"
+      MARIADB_RANDOM_ROOT_PASSWORD: "{{ database_passwords[docker_service_name + '_root'] is not defined | string }}"
+      MARIADB_ROOT_PASSOWRD: "{{ database_passwords[docker_service_name + '_root'] | default(omit) }}"
+    db_container_data: /var/lib/mysql
+    db_image_port: 3306
+  when: docker_database == 'mariadb'
+
+- name: Set mongo container vars
+  set_fact:
+    db_container_image: 'mongo:latest'
+    db_container_data: /data/db
+  when: docker_database == 'mongo'
+
+- name: Set db published ports var
+  set_fact:
+    db_published_ports: ["127.0.0.1:{{ ports[docker_service_name].db }}:{{ db_image_port }}"]
+  when: ports[docker_service_name].db is defined
+
+- name: Database container for {{ docker_service_name + ' (' + docker_database + ')' }}
+  docker_container:
+    name: "{{ docker_service_name }}_db"
+    image: "{{ db_container_image }}"
+    pull: true
+    env: "{{ db_container_env | default(omit) }}"
+    published_ports: "{{ db_published_ports | default(omit) }}"
+    restart_policy: always
+    volumes:
+      - "{{ docker_service_name }}_db:{{ db_container_data }}"
+    networks: "{{ container_networks | default(omit) }}"
+    log_driver: local

roles/container/tasks/host_user.yml

@@ -0,0 +1,14 @@
+---
+
+- name: "Create user for {{ docker_service_name }}"
+  user:
+    name: "{{ docker_service_name }}"
+    home: "/opt/{{ docker_service }}/{{ docker_service_suffix | default('') }}"
+    create_home: false
+    system: true
+    shell: /bin/bash
+  register: user
+
+- name: Set docker container user
+  set_fact:
+    docker_user: "{{ user.uid }}:{{ user.group }}"

roles/container/tasks/image.yml

@@ -0,0 +1,56 @@
+---
+
+- name: Image build
+  when: dockerfile is defined and dockerfile | length > 0
+  block:
+    - name: Put dockerfile in place
+      template:
+        src: Dockerfile.j2
+        dest: "/opt/{{ docker_service }}/Dockerfile"
+        mode: 0644
+
+    - name: Build docker image for {{ docker_service }}
+      docker_image:
+        name: "local_{{ docker_service }}"
+        source: build
+        force_source: true
+        build:
+          pull: true
+          path: "/opt/{{ docker_service }}"
+      register: built_image
+
+- name: Pull container image for {{ docker_service }}
+  docker_image:
+    name: "{{ docker_image }}"
+    source: pull
+    force_source: true
+  register: pulled_image
+  when: dockerfile is not defined or dockerfile | length == 0
+
+- name: Set container_image variable
+  set_fact:
+    container_image: "{{ item.image }}"
+  when: item.skipped is not defined or not item.skipped
+  loop:
+    - "{{ built_image }}"
+    - "{{ pulled_image }}"
+
+- name: Check mode image info
+  when: ansible_check_mode
+  block:
+    - name: Get docker image info for check mode
+      docker_image_info:
+        name: "{{ ('local_' + docker_service) if dockerfile is defined and dockerfile | length > 0 else docker_image }}"
+      register: existing_image
+
+    - name: Set check mode container_image variable
+      set_fact:
+        container_image: "{{ existing_image.images[0] }}"
+      when: existing_image.images | length > 0
+
+- name: Set image user variable
+  set_fact:
+    image_user: "{{ container_image.Config.User }}"
+  when:
+    - not ansible_check_mode
+    - container_image.Config.User | length > 0

roles/container/tasks/init.yml

@@ -0,0 +1,42 @@
+---
+
+- name: Reset variables
+  set_fact:
+    docker_volume_definition: []
+    container_published_ports: []
+    docker_volumes_new: []
+    final_docker_volumes: "{{ docker_volumes }}"
+    container_image: ''
+
+- name: Set docker service full name
+  set_fact:
+    docker_service_name: "{{ docker_service }}_{{ docker_service_suffix }}"
+  when: docker_service_suffix is defined
+
+
+- name: Warn about docker_volumes legacy format
+  debug:
+    msg: "docker_volumes is deprecated. This support may be removed after december 2022. Use docker_mounts instead!"
+  when: docker_volumes | length > 0
+
+- name: Convert docker_volumes from legacy format
+  when: docker_volumes | length > 0 and docker_volumes[0] is not mapping
+  block:
+    - name: Add legacy docker volumes to docker_volumes_new using the new format
+      set_fact:
+        docker_volumes_new: "{{ docker_volumes_new | default([]) + [{'name': item.split(':')[0] | regex_replace('^' + docker_service_name + '_', ''), 'path': item.split(':')[1]}] }}"
+      when: "'/' not in item.split(':')[0]"
+      loop: "{{ docker_volumes }}"
+    - name: Add legacy docker src bind mounts to docker_volumes_new using the new format
+      set_fact:
+        docker_volumes_new: "{{ docker_volumes_new | default([]) + [{'src': item.split(':')[0], 'path': item.split(':')[1]}] }}"
+      when: "'/' in item.split(':')[0]"
+      loop: "{{ docker_volumes }}"
+    - name: Set final_docker_volumes variable
+      set_fact:
+        final_docker_volumes: "{{ docker_volumes_new }}"
+
+- name: Convert final_docker_volumes to docker_mounts
+  set_fact:
+    docker_mounts: "{{ final_docker_volumes }}"
+  when: docker_mounts | length == 0 and final_docker_volumes | length > 0

roles/container/tasks/main.yml

@@ -1,65 +1,80 @@
 ---
 
-- name: "{{ docker_service }} docker network"
-  docker_network:
-    name: "{{ docker_service }}"
-  when: docker_network_mode is not defined or docker_network_mode != 'host'
+- name: Container role initialization
+  import_tasks: init.yml
 
-- name: Set published ports variable
-  set_fact: 
-    container_published_ports: ["127.0.0.1:{{ ports[docker_service][proxy_target_protocol] }}:{{ docker_image_http_port }}"]
-  when: reverse_proxy_type != 'traefik' and (docker_network_mode is not defined or docker_network_mode != 'host')
-
-- name: Set networks variable
+- name: Docker network
+  when: docker_network_mode is not defined or docker_network_mode != 'host' or docker_networks | length > 0
+  block:
+    - name: Set networks variable to {{ docker_service_name }}
       set_fact:
         container_networks:
-      - name: "{{ docker_service }}"
-  when: docker_network_mode is not defined or docker_network_mode != 'host'
-
-- name: Include traefik vars
-  include_vars: traefik.yml
-  when: reverse_proxy_type == 'traefik'
-
-- name: Set postgres container env
+          - name: "{{ docker_service_name }}"
+      when: docker_networks | length == 0
+    - name: Set networks variable to {{ docker_networks }}
       set_fact:
-    db_container_image: 'postgres:14-alpine'
-    db_container_env:
-      POSTGRES_USER: "{{ docker_service }}"
-      POSTGRES_PASSWORD: "{{ database_passwords[docker_service] }}"
-    db_container_data: /var/lib/postgresql/data
-  when: docker_database is defined and docker_database == 'postgres'
-- name: Set mongo container env
-  set_fact:
-    db_container_image: 'mongo:latest'
-    db_container_data: /data/db
-  when: docker_database is defined and docker_database == 'mongo'
+        container_networks: "{{ docker_networks }}"
+      when: docker_networks | length > 0
+    - name: Create docker networks
+      docker_network:
+        name: "{{ item.name }}"
+      loop: "{{ container_networks }}"
 
-- name: "{{ docker_database }} database container for {{ docker_service }}"
-  docker_container:
-    name: "{{ docker_service }}_db"
-    image: "{{ db_container_image }}"
-    pull: yes
-    container_default_behavior: no_defaults
-    env: "{{ db_container_env | default(omit) }}"
-    restart_policy: always
-    volumes:
-      - "{{ docker_service }}_db:{{ db_container_data }}"
-    networks: "{{ container_networks | default(omit) }}"
-  when: docker_database is defined
+- name: Reverse proxy for container
+  include_tasks: proxy.yml
+  when: reverse_proxy_type != 'none'
 
-- name: "Container for {{ docker_service }}"
+- name: Database container
+  include_tasks: database.yml
+  when: docker_database != 'none'
+
+- name: Additional services
+  when: docker_additional_services is defined
+  block:
+    - name: "Memcached container for {{ docker_service_name }}"
       docker_container:
-    name: "{{ docker_service }}"
-    image: "{{ docker_image }}"
+        name: "{{ docker_service_name }}_memcached"
+        image: memcached:alpine
         pull: true
-    container_default_behavior: no_defaults
-    volumes: "{{ docker_volumes | default(omit) }}"
-    published_ports: "{{ container_published_ports | default([]) + docker_published_ports | default(omit) }}"
+        restart_policy: always
+        networks: "{{ container_networks | default(omit) }}"
+        log_driver: local
+      when: "'memcached' in docker_additional_services"
+
+- name: Create directory /opt/{{ docker_service }}
+  file:
+    path: "/opt/{{ docker_service }}"
+    state: directory
+    mode: 0755
+  when: (dockerfile is defined and dockerfile | length > 0) or docker_host_user or docker_volume_type == 'bind'
+
+- name: Container image
+  import_tasks: image.yml
+
+- name: Container user
+  include_tasks: host_user.yml
+  when: docker_host_user
+
+- name: Container volumes
+  import_tasks: volumes.yml
+
+- name: "Container for {{ docker_service_name }}"
+  docker_container:
+    name: "{{ docker_service_name }}"
+    image: "{{ container_image.Id if container_image != '' else docker_image }}"
+    user: "{{ docker_user if docker_host_user else omit }}"
+    mounts: "{{ docker_volume_definition }}"
+    published_ports: "{{ container_published_ports + docker_published_ports }}"
     labels: "{{ traefik_labels | default(omit) }}"
     env: "{{ docker_env | combine(docker_additional_env) }}"
     entrypoint: "{{ docker_entrypoint | default(omit) }}"
     restart_policy: always
     network_mode: "{{ docker_network_mode | default(omit) }}"
     networks: "{{ container_networks | default(omit) }}"
+    log_driver: local
   register: container_out
 
+- name: Reset docker_mounts if converted from docker_volumes
+  set_fact:
+    docker_mounts: []
+  when: final_docker_volumes | length > 0

roles/container/tasks/proxy.yml

@@ -0,0 +1,22 @@
+---
+
+- name: Reverse proxy
+  include_role:
+    name: uumas.general.reverse_proxy
+  vars:
+    vhost_id: "{{ docker_service_name }}"
+    proxy_target_protocol: "{{ docker_proxy_target_protocol }}"
+    vhost_domains: "{{ docker_vhost_domains[docker_service_name] }}"
+    proxy_target_port: "{{ ports[docker_service_name][proxy_target_protocol] }}"
+  when: reverse_proxy_type != 'traefik'
+
+- name: Set published ports variable to http port
+  set_fact:
+    container_published_ports: ["127.0.0.1:{{ ports[docker_service_name][docker_proxy_target_protocol] }}:{{ docker_image_http_port }}"]
+  when:
+    - docker_network_mode is not defined or docker_network_mode != 'host'
+    - reverse_proxy_type != 'traefik'
+
+- name: Include traefik vars
+  include_vars: traefik.yml
+  when: reverse_proxy_type == 'traefik'

roles/container/tasks/volumes.yml

@@ -0,0 +1,74 @@
+---
+
+- name: Create directories and put files in them
+  when:
+    - docker_mounts | length > 0
+    - (docker_volume_type == 'bind' and docker_mounts | selectattr('name', 'defined') | list | length > 0) or (docker_mounts | selectattr('template', 'defined') | list | length > 0)
+  block:
+    - name: Create directory /opt/{{ docker_service + '/' + docker_service_suffix }}
+      file:
+        path: "/opt/{{ docker_service }}/{{ docker_service_suffix }}"
+        state: directory
+        owner: "{{ user.uid | default(omit) }}"
+        group: "{{ user.group | default(omit) }}"
+        mode: 0755
+      when: docker_service_suffix is defined
+
+    - name: Set docker_mounts_dir
+      set_fact:
+        docker_mounts_dir: "/opt/{{ docker_service }}/{{ docker_service_suffix }}/mounts"
+      when: docker_service_suffix is defined
+    - name: Set docker_mounts_dir
+      set_fact:
+        docker_mounts_dir: "/opt/{{ docker_service }}/mounts"
+      when: docker_service_suffix is not defined
+ 
+    - name: Create directory {{ docker_mounts_dir }}
+      file:
+        path: "{{ docker_mounts_dir }}"
+        state: directory
+        owner: "{{ user.uid | default(omit) }}"
+        group: "{{ user.group | default(omit) }}"
+        mode: 0700
+    - name: Define mounts directory owner
+      set_fact:
+        mount_owner: "{{ user.uid if docker_host_user else image_user | default('') }}"
+        mount_group: "{{ user.group if docker_host_user else '' }}"
+
+    - name: "Create docker bind mount directories for {{ docker_service_name }}"
+      file:
+        path: "{{ docker_mounts_dir }}/{{ item.name }}"
+        state: directory
+        owner: "{{ mount_owner if (item.set_owner is not defined or item.set_owner) and mount_owner | length > 0 else omit }}"
+        group: "{{ mount_group if (item.set_group is not defined or item.set_group) and mount_group | length > 0 else omit }}"
+      when: item.name is defined
+      loop: "{{ docker_mounts }}"
+    - name: Set docker_volume_definition for named binds
+      set_fact:
+        docker_volume_definition: "{{ docker_volume_definition + [{'source': docker_mounts_dir + '/' + item.name, 'target': item.path, 'type': 'bind'}] }}"
+      when: item.name is defined
+      loop: "{{ docker_mounts }}"
+
+    - name: Template docker template mounts for {{ docker_service_name }}
+      template:
+        src: "{{ item.template }}.j2"
+        dest: "{{ docker_mounts_dir }}/{{ item.template }}"
+      when: item.template is defined
+      loop: "{{ docker_mounts }}"
+    - name: Set docker_volume_definition for template mounts
+      set_fact:
+        docker_volume_definition: "{{ docker_volume_definition + [{'source': docker_mounts_dir + '/' + item.template, 'target': item.path, 'type': 'bind', 'read_only': true}] }}"
+      when: item.template is defined
+      loop: "{{ docker_mounts }}"
+
+- name: Set docker_volume_definition for named volumes
+  set_fact:
+    docker_volume_definition: "{{ docker_volume_definition + [{'source': docker_service_name + '_' + item.name, 'target': item.path, 'type': 'volume'}] }}"
+  when: docker_volume_type == 'named' and item.name is defined
+  loop: "{{ docker_mounts }}"
+
+- name: Set docker_volume_definition for src binds
+  set_fact:
+    docker_volume_definition: "{{ docker_volume_definition + [{'source': item.src, 'target': item.path, 'type': 'bind'}] }}"
+  when: item.src is defined
+  loop: "{{ docker_mounts }}"

roles/container/templates/Dockerfile.j2

@@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+
+FROM {{ docker_image }}
+{% if dockerfile.run is iterable %}
+{% for cmd in dockerfile.run %}
+RUN {{ cmd }}
+{% endfor %}
+{% endif %}
+

roles/container/vars/main.yml

@@ -0,0 +1,15 @@
+---
+
+docker_service_name: "{{ docker_service }}"
+
+reverse_proxy_type: caddy
+docker_proxy_target_protocol: http
+
+docker_additional_env: {}
+docker_database: none
+docker_volumes: [] # DEPRECATED
+docker_mounts: []
+docker_networks: []
+docker_env: {}
+
+docker_published_ports: []

roles/container/vars/traefik.yml

@@ -2,5 +2,5 @@
 
 traefik_labels:
   traefik.enable: 'true'
-  "traefik.http.routers.{{ docker_service }}.rule": "Host(`{{ vhost_domains[docker_service] | join('`) || Host(`') }}`)"
-  "traefik.http.routers.{{ docker_service }}.tls.certresolver": 'le'
+  "traefik.http.routers.{{ docker_service_name }}.rule": "Host(`{{ vhost_domains[docker_service_name] | join('`) || Host(`') }}`)"
+  "traefik.http.routers.{{ docker_service_name }}.tls.certresolver": 'le'

roles/docker/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+
+- name: restart docker
+  systemd:
+    name: docker.service
+    state: restarted

roles/docker/tasks/main.yml

@@ -25,7 +25,7 @@
     url: 'https://download.docker.com/linux/debian/gpg'
 - name: Add docker repo
   apt_repository:
-    repo: "deb [arch={{ dpkg_arch }}] https://download.docker.com/linux/{{ ansible_distribution|lower }} {{ ansible_distribution_release }} stable"
+    repo: "deb [arch={{ dpkg_arch }}] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable"
     filename: 'docker'
     mode: '644'
 

roles/dokuwiki/README.md

@@ -0,0 +1 @@
+Sets up a dokuwiki docker container.

roles/dokuwiki/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+
+dokuwiki_wiki_name: DokuWiki
+dokuwiki_admin_email: "{{ admin_email }}"

roles/dokuwiki/meta/argument_specs.yml

@@ -0,0 +1,45 @@
+---
+
+argument_specs:
+  main:
+    short_description: DokuWiki container
+    description: "Sets up a DokuWiki docker container."
+    options:
+      dokuwiki_wiki_name:
+        description: Name of the DokuWiki site
+        type: str
+        reuired: false
+        default: DokuWiki
+      dokuwiki_admin_password:
+        description: Password of dokuwiki admin user
+        type: str
+        required: true
+      dokuwiki_admin_email:
+        description: Email address of dokuwiki admin user
+        type: str
+        required: false
+        default: "{{ admin_email }}"
+
+      # All options after this will be passed directly to the container role
+      docker_service_suffix:
+        description: "Passed to container role"
+        required: false
+      docker_host_user:
+        description: "Passed to container role"
+        required: false
+
+      docker_volume_type:
+        description: "Passed to container role"
+        required: false
+      reverse_proxy_type:
+        description: "Passed to container role"
+        required: false
+      ports:
+        description: "Passed to container role"
+        required: false
+      docker_vhost_domains:
+        description: "Passed to container role"
+        required: false
+      docker_entrypoint:
+        description: "Passed to container role"
+        required: false

roles/dokuwiki/tasks/main.yml

@@ -0,0 +1,18 @@
+---
+
+- name: Dokuwiki container
+  import_role:
+    name: container
+  vars:
+    docker_service: dokuwiki
+    docker_image: bitnami/dokuwiki
+    docker_image_http_port: 8080
+    docker_mounts:
+      - name: data
+        path: /bitnami/dokuwiki
+    docker_env:
+      DOKUWIKI_USERNAME: admin
+      DOKUWIKI_FULL_NAME: Admin
+      DOKUWIKI_PASSWORD: "{{ dokuwiki_admin_password }}"
+      DOKUWIKI_EMAIL: "{{ dokuwiki_admin_email }}"
+      DOKUWIKI_WIKI_NAME: "{{ dokuwiki_wiki_name }}"

roles/element/meta/main.yml

@@ -1,7 +1,7 @@
 ---
 
 dependencies:
-  - docker
+  - role: docker
   - role: uumas.general.reverse_proxy
     vhost_id: element
     vhost_domains: "{{ element_domains }}"

roles/element/tasks/main.yml

@@ -33,4 +33,3 @@
     content: "{{ element_config }}"
     dest: "{{ element_config_volume.Source }}/config.json"
     mode: '644'
-

roles/gitea/meta/main.yml

@@ -25,5 +25,6 @@ dependencies:
       GITEA__mailer__HOST: "{{ smtp_server }}:587"
       GITEA__mailer__FROM: "{{ smtp_from }}"
       GITEA__mailer__MAILER_TYPE: smtp
-      GITERA__mailer__USER: "{{ smtp_user | default(omit) }}"
-      GITERA__mailer__PASSWD: "{{ smtp_pw | default(omit) }}"
+      GITEA__mailer__USER: "{{ smtp_user | default(omit) }}"
+      GITEA__mailer__PASSWD: "{{ smtp_pw | default(omit) }}"
+      GITEA__service__REQUIRE_SIGNIN_VIEW: "{{ gitea_require_signin_view | default(omit) }}"

roles/gitea/tasks/main.yml

@@ -4,16 +4,16 @@
   group:
     name: git
     gid: 2132
-    system: yes
+    system: true
 
 - name: Create git user on host for gitea ssh
   user:
     name: git
     uid: 2132
     group: git
-    system: yes
+    system: true
     home: /var/lib/gitea
-    generate_ssh_key: yes
+    generate_ssh_key: true
   register: git_user
 
 - name: Add git user's own ssh key to its authorized keys

roles/grafana/README.md

@@ -0,0 +1 @@
+Sets up a grafana docker container.

roles/grafana/meta/argument_specs.yml

@@ -0,0 +1,38 @@
+---
+
+argument_specs:
+  main:
+    short_description: Alpine container
+    description: "Sets up an alpine docker container. This role can be used as a template for other roles using the container role."
+    options:
+      database_passwords:
+        description: "Passed to container role"
+        required: true
+        type: dict
+      docker_vhost_domains:
+        description: "Passed to container role"
+        required: true
+        type: dict
+
+      # All options after this will be passed directly to the container role
+      docker_host_user:
+        description: "Passed to container role"
+        required: false
+
+      docker_additional_services:
+        description: "Passed to container role"
+        required: false
+
+      docker_volume_type:
+        description: "Passed to container role"
+        required: false
+      reverse_proxy_type:
+        description: "Passed to container role"
+        required: false
+      ports:
+        description: "Passed to container role"
+        required: false
+      docker_entrypoint:
+        description: "Passed to container role"
+        required: false
+

roles/grafana/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+
+- name: Grafana container
+  import_role:
+    name: container
+  vars:
+    docker_service: grafana
+    docker_image: grafana/grafana
+    docker_image_http_port: 3000
+    docker_volumes:
+      - name: data
+        path: /var/lib/grafana
+    docker_database: postgres
+    docker_env:
+      GF_DATABASE_TYPE: postgres
+      GF_DATABASE_HOST: grafana_db:5432
+      GF_DATABASE_NAME: grafana
+      GF_DATABASE_USER: grafana
+      GF_DATABASE_PASSWORD: "{{ database_passwords.grafana }}"
+      GF_SERVER_DOMAIN: "{{ docker_vhost_domains.grafana[0] }}"
+      GF_SERVER_ROOT_URL: "https://{{ docker_vhost_domains.grafana[0] }}"

roles/hedgedoc/meta/main.yml

@@ -15,4 +15,3 @@ dependencies:
       CMD_ALLOW_ANONYMOUS: "false"
       CMD_ALLOW_ANONYMOUS_EDITS: "true"
       CMD_ALLOW_FREEURL: "true"
-

roles/jitsi/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+
+jitsi_docker_tag: stable

roles/jitsi/meta/main.yml

@@ -1,7 +1,7 @@
 ---
 
 dependencies:
-  - docker
+  - role: docker
   - role: uumas.general.reverse_proxy
     vhost_id: jitsi
     vhost_domains:

roles/jitsi/tasks/main.yml

@@ -9,6 +9,14 @@
     jitsi_web_published_ports: ["127.0.0.1:{{ ports.jitsi_http }}:80"]
   when: reverse_proxy_type != 'traefik'
 
+- name: Reset jitsi meet prosody published ports variable
+  set_fact:
+    jitsi_prosody_published_ports: []
+- name: Set jitsi meet prosody published ports variable
+  set_fact:
+    jitsi_prosody_published_ports: ["127.0.0.1:{{ ports.jitsi_prosody_http }}:5280"]
+  when: ports.jitsi_prosody_http is defined
+
 - name: Include traefik vars
   include_vars: traefik.yml
   when: reverse_proxy_type == 'traefik'
@@ -16,7 +24,7 @@
 - name: Jitsi meet web
   docker_container:
     name: 'jitsi_meet_web'
-    image: 'jitsi/web:latest'
+    image: "jitsi/web:{{ jitsi_docker_tag }}"
     pull: true
     container_default_behavior: no_defaults
     published_ports: "{{ jitsi_web_published_ports | default(omit) }}"
@@ -41,25 +49,13 @@
           - meet.jitsi
   register: jitsi_meet_web_out
 
-- set_fact:
-    jitsi_meet_web_config_volume: "{{ jitsi_meet_web_out.container.Mounts | selectattr('Destination', 'equalto', '/config') | join }}"
-
-- name: Disable recording and livestreaming
-  lineinfile:
-    path: "{{ jitsi_meet_web_config_volume.Source }}/config.js"
-    regexp: "^    (\/\/ )?{{ item }}: .*,$"
-    line: "    {{ item }}: false,"
-    state: present
-  loop:
-    - fileRecordingsEnabled
-    - liveStreamingEnabled
-
 - name: Jitsi meet prosody
   docker_container:
     name: 'jitsi_meet_prosody'
-    image: 'jitsi/prosody:latest'
+    image: "jitsi/prosody:{{ jitsi_docker_tag }}"
     pull: true
     container_default_behavior: no_defaults
+    published_ports: "{{ jitsi_prosody_published_ports }}"
     env:
       PUBLIC_URL: "https://{{ jitsi_domain }}"
       TZ: "{{ timezone }}"
@@ -69,10 +65,16 @@
       JICOFO_AUTH_PASSWORD: "{{ jitsi_pw.jicofo_auth }}"
       JVB_AUTH_USER: jvb
       JVB_AUTH_PASSWORD: "{{ jitsi_pw.jvb_auth }}"
+      TURN_CREDENTIALS: "{{ turn_secret | default(omit) }}"
+      TURN_HOST: "{{ turn_domain | default(omit) }}"
+      TURN_PORT: "{{ '443' if turn_domain is defined else omit }}"
+      TURNS_HOST: "{{ turn_domain | default(omit) }}"
+      TURNS_PORT: "{{ '443' if turn_domain is defined else omit }}"
       XMPP_DOMAIN: meet.jitsi
       XMPP_AUTH_DOMAIN: auth.meet.jitsi
       XMPP_INTERNAL_MUC_DOMAIN: internal-muc.meet.jitsi
       XMPP_MUC_DOMAIN: muc.meet.jitsi
+      XMPP_MODULES: 'muc_census'
     restart_policy: always
     exposed_ports:
       - '5222'
@@ -85,7 +87,7 @@
 - name: Jitsi meet jicofo
   docker_container:
     name: 'jitsi_meet_jicofo'
-    image: 'jitsi/jicofo:latest'
+    image: "jitsi/jicofo:{{ jitsi_docker_tag }}"
     pull: true
     container_default_behavior: no_defaults
     env:
@@ -108,7 +110,7 @@
 - name: Jitsi meet video bridge
   docker_container:
     name: 'jitsi_meet_jvb'
-    image: 'jitsi/jvb:latest'
+    image: "jitsi/jvb:{{ jitsi_docker_tag }}"
     pull: true
     container_default_behavior: no_defaults
     published_ports:
@@ -132,4 +134,3 @@
       - name: meet.jitsi
         aliases:
           - meet.jitsi
-

roles/keycloak/meta/main.yml

@@ -20,4 +20,3 @@ dependencies:
       KC_DB_URL: jdbc:postgresql://keycloak_db/keycloak
       KC_DB_USERNAME: keycloak
       KC_DB_PASSWORD: "{{ database_passwords.keycloak }}"
-

roles/prometheus/README.md

@@ -0,0 +1 @@
+Sets up a prometheus docker container.

roles/prometheus/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+
+prometheus_scrape_interval: 5s
+prometheus_evaluation_interval: 15s
+prometheus_install_grafana: false
+prometheus_hcloud_relabel_configs: []

roles/prometheus/meta/argument_specs.yml

@@ -0,0 +1,73 @@
+---
+
+argument_specs:
+  main:
+    short_description: Prometheus docker container
+    options:
+      prometheus_scrape_interval:
+        description: Interval how often prometheus will scrape the monitoring targets
+        type: str
+        required: false
+        default: 5s
+      prometheus_evaluation_interval:
+        description: Interval how often prometheus will evaluate the scraped metrics against defined conditions
+        type: str
+        required: false
+        default: 15s
+      prometheus_hcloud_token:
+        description: Access token for hetzner cloud service discovery. It will be enabled if this variable is defined
+        type: str
+        required: false
+      prometheus_hcloud_relabel_configs:
+        description: Relabel configs for hcloud
+        type: list
+        required: false
+        default: []
+        elements: dict
+        options:
+          source_labels:
+            type: list
+            required: true
+            elements: str
+          target_label:
+            type: str
+            required: true
+          replacement:
+            type: str
+            required: false
+      prometheus_install_grafana:
+        description: If true, installs grafana in the same docker network as prometheus and configures it with prometheus as data source
+        type: bool
+        required: false
+        default: false
+
+      # All options after this will be passed directly to the container role
+      docker_service_suffix:
+        description: "Passed to container role"
+        required: false
+      docker_host_user:
+        description: "Passed to container role"
+        required: false
+
+      database_passwords:
+        description: "Passed to container role"
+        required: false
+      docker_additional_services:
+        description: "Passed to container role"
+        required: false
+
+      docker_volume_type:
+        description: "Passed to container role"
+        required: false
+      reverse_proxy_type:
+        description: "Passed to container role"
+        required: false
+      ports:
+        description: "Passed to container role"
+        required: false
+      docker_vhost_domains:
+        description: "Passed to container role"
+        required: false
+      docker_entrypoint:
+        description: "Passed to container role"
+        required: false

roles/prometheus/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+
+- name: Prometheus container
+  import_role:
+    name: container
+  vars:
+    docker_service: prometheus
+    docker_image: prom/prometheus
+    reverse_proxy_type: none
+    docker_volumes:
+      - name: data
+        path: /prometheus
+      - template: prometheus.yml
+        path: /etc/prometheus/prometheus.yml
+      
+- name: Grafana container for prometheus
+  include_role: 
+    name: grafana
+  vars:
+    docker_networks: 
+      - name: prometheus
+  when: prometheus_install_grafana

roles/prometheus/templates/prometheus.yml.j2

@@ -0,0 +1,34 @@
+---
+
+# my global config
+global:
+  scrape_interval: {{ prometheus_scrape_interval }}
+  evaluation_interval: {{ prometheus_evaluation_interval }}
+
+# Alertmanager configuration
+alerting:
+  alertmanagers:
+    - static_configs:
+        - targets:
+          # - alertmanager:9093
+
+# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
+rule_files:
+  # - "first_rules.yml"
+  # - "second_rules.yml"
+
+# A scrape configuration containing exactly one endpoint to scrape:
+# Here it's Prometheus itself.
+scrape_configs:
+  - job_name: "prometheus"
+    static_configs:
+      - targets: ["localhost:9090"]
+
+{% if prometheus_hcloud_token is defined %}
+  - job_name: hcloud
+    hetzner_sd_configs:
+      - role: hcloud
+        authorization:
+          credentials: {{ prometheus_hcloud_token }}
+    relabel_configs: {{ prometheus_hcloud_relabel_configs }}
+{% endif %}

roles/unifi/meta/main.yml

@@ -11,4 +11,3 @@ dependencies:
     docker_env:
       UNIFI_HTTPS_PORT: "{{ ports.unifi.https }}"
       PORTAL_HTTP_PORT: "8808"
-

roles/wekan/meta/main.yml

@@ -12,4 +12,3 @@ dependencies:
       MONGO_URL: mongodb://wekan_db:27017/wekan
       ROOT_URL: "https://{{ docker_vhost_domains.wekan[0] }}"
       WRITABLE_PATH: /data
-

roles/wekan/tasks/main.yml

@@ -10,3 +10,4 @@
     state: directory
     owner: 999
     group: 999
+    mode: 0755

roles/wordpress/README.md

@@ -0,0 +1 @@
+Installs wordpress in docker and configures cron

roles/wordpress/defaults/main.yml

@@ -0,0 +1,12 @@
+---
+
+wordpress_tag: php8.1
+
+docker_additional_services: []
+
+docker_host_user: false
+wordpress_symlinks: false
+
+wordpress_docker_volumes:
+  - name: html
+    path: /var/www/html

roles/wordpress/tasks/main.yml

@@ -0,0 +1,40 @@
+---
+
+- name: Reset dockerfile variable
+  set_fact:
+    dockerfile: {}
+
+- name: Add memcached php extension to container
+  set_fact:
+    dockerfile: "{{ dockerfile | combine({'run': \
+      ['apt-get update && apt-get install -y libmemcached-dev zlib1g-dev && \
+      pecl install memcached-3.2.0 && docker-php-ext-enable memcached']}, list_merge='append') }}"
+  when: "'memcached' in docker_additional_services"
+
+- name: Add pdo_mysql php extension to container
+  set_fact:
+    dockerfile: "{{ dockerfile | combine({'run': ['docker-php-ext-install -j$(nproc) pdo_mysql']}, list_merge='append') }}"
+  when: "'pdo_mysql' in wordpress_php_extensions"
+
+- name: Include additional volume vars
+  include_vars: "{{ item }}_volume.yml"
+  loop: "{{ wordpress_additional_volumes | default([]) }}"
+
+- name: Wordpress container setup
+  include_role:
+    name: container
+  vars:
+    docker_service: wordpress
+    docker_image: wordpress:{{ wordpress_tag }}
+    docker_image_http_port: 80
+    docker_database: mariadb
+    docker_volumes: "{{ wordpress_docker_volumes + wordpress_www_volume + wordpress_log_volume }}"
+    docker_volume_type: bind
+    docker_env:
+      WORDPRESS_DB_HOST: "{{ docker_service_name }}_db"
+      WORDPRESS_DB_NAME: "{{ docker_service_name }}"
+      WORDPRESS_DB_USER: "{{ docker_service_name }}"
+      WORDPRESS_DB_PASSWORD: "{{ database_passwords[docker_service_name] }}"
+      WORDPRESS_CONFIG_EXTRA: |
+        define('WP_SITEURL', 'https://{{ docker_vhost_domains[docker_service_name][0] }}');
+        define('WP_HOME', 'https://{{ docker_vhost_domains[docker_service_name][0] }}');

roles/wordpress/vars/log_volume.yml

@@ -0,0 +1,5 @@
+---
+
+wordpress_log_volume:
+  - name: logs
+    path: /var/log/apache2

roles/wordpress/vars/www_volume.yml

@@ -0,0 +1,5 @@
+---
+
+wordpress_www_volume:
+  - name: www
+    path: /var/www